My ISP gives me a /56 prefix but also forces a daily disconnection. I have tried to work around that for openvpn; while doable, I decided it wasn't worth the hassle since I also still have a /48 from tunnelbroker.net: I can use the dynamic /56 for outbound connections since it gives the most bandwidth and the other connection for the vpn and the raspi.
Now my question: the raspi is running an ADS-B server which I exposed with a static IPv6 address. Past tense, because now my lan is using the dynamic prefix from the ISP and only the vpn interface has a /64 carved out of the static /48, so the raspi is inaccessible from outside not because of firewall changes but simply because it is not where it is supposed to be.
What are my options here? Thinking out loud...
create a new vlan with ip6class pointing to tunnel connection? (easy to do, looks unnecessary, though)
add ip6class of tunnel to main vlan where the raspi (and most other devices) already are? (drawbacks unknown)
something else? (except nat, makes no sense having a static address)
What happens when an interface on the router has more than one /64 from different ip6class? Perhaps more importantly, if the downstream devices get a lease from both ISP and tunnel prefixes, could I set a preference for outgoing connections?
I am trying with no ip6class keyword on the main vlan, which means all available prefixes are used. So far, so good: the raspi also gets a tunnel address.
Now trying to set a preference for ISP vs tunnel via preferred lifetimes but not much luck.
The tunnel has a longer lifetime and still gets chosen, both on the raspi and on the desktop.
Is there a way to, basically, advise downstream devices that the address should not be used for outbound connections? (including temporary addresses)
You can set preferences for routes with IPv6 ICMP router advertisements, yes. I have not dug into how to do it with a vanilla OpenWrt.
With radvd or bird you can set attributes for each prefix.
I noticed your question here is related to Openvpn ipv6 via pppoe. Looking at both together, I think we need to address something important first.
A quick reminder: In our previous thread, I provided you with the complete solution in post #6 (ip6class 'wan_6', script changes, etc.). You then reverted those changes and decided to use the tunnel workaround instead, without fully testing the solution. The current effort with VLAN/radvd/lifetime management is a direct consequence of that decision - the 'simpler' workaround has now created additional complexity. For the future, I'd recommend: when a solution is offered, it's worth implementing and testing it completely before switching to workarounds. This saves time and effort in the long run - for you and for everyone helping.
That said, to provide you with the correct configuration: Which router model and hardware setup do you have? That information would be helpful for a more precise answer.
@_bernd ok, thanks for the info, I am indeed looking for a solution that could be implemented without additional packages and as much as possible through configuration instead of scripting.
@Sm00shed the reason I switched to workarounds is that the proposed solution would have addressed only one problem, namely that of supporting the vpn server with a dynamic prefix. Given that I also had to expose a local webserver, which would involve dynamically rewriting firewall rules, I reconsidered the whole plan, which is a smart approach if you do not have infinite time available. The current effort is, if you will, a consequence of realizing too late that I would have beautifully solved one issue and made absolutely no progress for the other.
Not sure what the router model has to do with it, but I am using a FritzBox 4040 with one DSL connection. Locally I have split the bridge into two VLANs, the main one called "casa" (3 ports plus wifi) and a "guest" one (1 port plus wifi). Before upgrading to 25.x I could not get IPv6 from my ISP and I relied exclusively on a /48 from tunnelbroker for IPv6 connectivity. When I realized that the ISP IPv6 connection was also working, I started thinking about how to restructure the setup. Again, the goals change when I learn how easy / stable / reasonable each approach is, also considering how much I would have to tweak device configs, DNS, and so on.
The next step, after upgrading to the new point release, will be segregating the prefixes as follows: main vlan with ISP prefix, while guest and vpn will get /64 carved out from the /48 offered by the tunnel. The guest is rarely used and I do not care much if outbound v6 performance is not wire-speed: VPN and webserver stability are more important.
After that, with no definitive timeframe, I might retry dealing with lifetimes and multiple prefixes on the guest vlan. Why? Curiosity. After all, from way back on "white russian" until now, using openwrt has been as much about learning as it was about flexibility and control. Hope this provides sufficient context.
Why? You can port forward using the (what should be) static suffix for the server and a “-64” netmask. That will allow the port forward to work regardless of the changing prefix.
I also have an OpenVPN and a WireGuard server running with a dynamic IPv6 prefix.
I use the negative netmask as described by @krazeh for port forwarding; internally the VPN servers use ULA addresses, and you can use IPv6 NPT (Network Prefix Translation) or selective NAT66 for IPv6 access.
I had grown accustomed to IPv6 having a big enough address space that you would not need NAT anymore, which is why I am primarily thinking in terms of traffic rules for the webserver, not portforwarding and NAT. I have saved the link to IPv6 NPT, will come back to that in a couple of weeks.
I have searched quite a bit in the forum (and elsewhere) but the issue is always asking the right question. If I understand correctly, your setup requires just NPT, the openvpn server only deals with the ULA address (endpoint, dns, routes, what have you) and no hotplug scripting is needed, just the one for the firewall, correct? The same would also apply to the webserver? If memory serves me right, the firewall is reloaded anyway when an interface changes status.
How does it compare, in terms of CPU load and speed, to a static address? We're dealing with a 100 Mbps connection, so it is not terribly demanding.
You do not actually port forward with the negative netmask, but it is a traffic rule indeed to allow traffic to an IPv6 GUA address on your network.
Nothing wrong with NPT6 or Selective NAT66 for your VPN which is often the easiest solution.
For WireGuard, this is how I do it, including the IPv6 setup: WireGuard Server Setup Guide
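Added example, not code from any poster in this thread: a POSIX sh script showing what the "/-64" negative netmask in an OpenWrt firewall traffic rule actually compares, so the rule keeps matching the server when the delegated prefix changes. The interface identifier ::1234:5678:9abc:def0 and the 2001:db8:: prefixes are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: what an OpenWrt firewall traffic
# rule with a negative netmask, e.g.  option dest_ip '::1234:5678:9abc:def0/-64'
# actually compares. The first 64 bits (the delegated prefix, which changes
# daily here) are ignored; only the low 64 bits, the host's interface
# identifier, must match. All addresses below are constructed sample values.

# Expand an IPv6 address to 32 hex digits without colons (handles one "::").
expand6() {
    addr=$1
    case "$addr" in
        *::*) head=${addr%%::*}; tail=${addr#*::} ;;
        *)    head=$addr;         tail= ;;
    esac
    count=0
    for g in $(printf '%s %s' "$head" "$tail" | tr ':' ' '); do
        count=$((count + 1))
    done
    out=
    for g in $(printf '%s' "$head" | tr ':' ' '); do
        out="$out$(printf '%04x' "0x$g")"
    done
    case "$addr" in *::*)
        pad=$((8 - count))
        while [ "$pad" -gt 0 ]; do out="${out}0000"; pad=$((pad - 1)); done ;;
    esac
    for g in $(printf '%s' "$tail" | tr ':' ' '); do
        out="$out$(printf '%04x' "0x$g")"
    done
    printf '%s' "$out"
}

# Low 64 bits of an address: drop the first 16 hex digits of the expanded form.
suffix64() { full=$(expand6 "$1"); printf '%s' "${full#????????????????}"; }

# Succeeds when ADDR ($1) would be matched by a rule written as RULE_ADDR ($2)/-64.
matches_neg64() { [ "$(suffix64 "$1")" = "$(suffix64 "$2")" ]; }

# Demo: the same Raspi under yesterday's and today's delegated prefix, plus an
# unrelated host that must not be let through.
RULE='::1234:5678:9abc:def0'
for ip in 2001:db8:1:1:1234:5678:9abc:def0 \
          2001:db8:ff:2:1234:5678:9abc:def0 \
          2001:db8:ff:2::2; do
    if matches_neg64 "$ip" "$RULE"; then echo "$ip  matches $RULE/-64"
    else echo "$ip  does not match"; fi
done
```

The rule only keeps working if the host keeps a stable interface identifier across prefix changes; SLAAC temporary (privacy) addresses change their low 64 bits and will not match.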
@aboaboit - I asked about your router model because you mentioned VLAN (option 1) as "easy to do" and I was considering whether this would be the cleanest solution for your setup.
When I read your description, I initially assumed that Port 4 was dedicated to the Raspi - but even after reading your posts multiple times, the physical connection isn't entirely clear to me. So let me ask:
Is it correct that:
Guest VLAN = Port 4 (physical) + Guest WiFi (SSID)
Raspi is connected to Port 4 (same physical port as Guest)
You access the Guest network via WiFi
Additional question about your plan:
You wrote "guest and vpn will get /64 carved out from the /48" - should the Raspi:
Run in the Guest VLAN (shares the /64 with Guest), or
Option 1 (Raspi in Guest VLAN): You could use Port 4 exclusively for Guest + Raspi with HE.net prefix (static, accessible from outside), while Guest WiFi remains WiFi-only on ISP prefix.
Option 2 (Raspi separate /64): We'd need a different port assignment or VLAN tagging.
Openwrt by default creates a bridge between all the wired ports and a single SSID; I only expanded on that by splitting the 4 ports into 3+1, then creating an additional bridge for guest, which therefore might be used either directly on port 4 or via wifi with the corresponding SSID.
In my specific setup, the raspi is not physically close to the router, so wifi it is. The interim solution, until such time as I can really dig into @egc's suggestion, will be your option 1.
# Casa Interface - ISP prefix
config interface 'casa'
	# ... your existing settings ...
	option ip6assign '64'
	# ISP prefix
	list ip6class 'wan6'

# Guest Interface - HE.net prefix
config interface 'guest'
	# ... your existing settings ...
	option ip6assign '64'
	# Replace with the name of your HE.net tunnel interface
	list ip6class 'YOUR_HE_TUNNEL_NAME'
Important note regarding the PPPoE/DHCPv6 bug:
If you're experiencing the Prefix Delegation issue (wan6 vs wan_6, see https://github.com/openwrt/netifd/issues/72), you may need to use list ip6class 'wan_6' (with underscore) instead of 'wan6' until the bug is fixed. You can check this by running ifstatus wan6 and ifstatus wan_6 after reboot - if only wan_6 exists, use the underscore.
Result:
Raspi (on Guest WiFi) gets static IPv6 from HE.net /48 → accessible from outside
Casa devices get dynamic ISP prefix → fast
No preference issues, as each VLAN only has one prefix